470da0dc16848908f374031683e4e035.ppt
- Number of slides: 9
LCG/GDB Security (Report from the LCG Security Group)
RAL, 8 July 2003
David Kelsey, CCLRC/RAL, UK
d.p.kelsey@rl.ac.uk
8-Jul-03 D. P. Kelsey, LCG-GDB-Security 1
Overview
Topics for agreement today
• Rules for Use of LCG-1 – Paper #36
• Audit Requirements – Paper #37
• Incident Response – Paper #38
• User Registration/VO Management – Paper #39
Security Group meeting – 19th June (phone)
http://agenda.cern.ch/displayLevel.php?fid=68
Rules for Use of LCG-1 (#36)
• To be agreed to by all users (signed via private key in browser) when they register with LCG-1
• Deliberately based on current EDG Usage Rules
  – Does not override site rules and policies
  – Only allows professional use
• Once discussions start on changes
  – Chance we never converge!
• We know that they are far from perfect
• Are there major objections today?
  – One comment says we should define the list of user data fields (as agreed at the last GDB)
• Use now and work on a better version for Jan 2004
  – Consult lawyers?
Audit Requirements (#37)
• UI and RB – None – look at later
  – For origin of job submission
• CE – gatekeeper maps DN to local account
  – Keep gatekeeper and jobmanager logs
• SE/GridFTP – Keep input and output data transfer logs
• Batch system – jobmanager logs (or batch system logs)
  – Need to trace process activity – pacct logs – This is large
• Central storage of all logfiles? Rather than on the WN
• To be kept for at least 90 days by all sites
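The audit requirements above only pay off if a site can later walk from a certificate DN, through the gatekeeper's local account mapping, to the jobs and data transfers done under that account, and if the logs still exist when the question is asked. The following is an added example (not code from the slides or the LCG project) of that correlation. The log line formats, service names and sample entries are constructed and simplified assumptions; real gatekeeper, jobmanager and GridFTP logs differ, so a site would swap in parsers for its own formats. It also handles two cases that matter in practice: a pool account re-mapped to a second DN during the retention window, and activity by an account with no gatekeeper mapping at all.

```python
"""Audit-trail correlation for an LCG-1 style site (added example).

This is not code from the LCG security group. The log line formats, the
service names and the sample entries below are constructed and simplified;
real gatekeeper, jobmanager and GridFTP logs differ, so the three regexes
are assumptions that a site would replace with parsers for its own formats.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs. Note lcg001 is a pool account: it is mapped to
# one DN at 09:12 and re-mapped to a different DN at 11:00.
GATEKEEPER_LOG = """\
2003-07-01 09:12:03 gatekeeper: authenticated DN="/C=UK/O=eScience/OU=RAL/CN=alice user" mapped to local user lcg001
2003-07-01 09:40:17 gatekeeper: authenticated DN="/C=IT/O=INFN/CN=bob user" mapped to local user lcg002
2003-07-01 11:00:00 gatekeeper: authenticated DN="/C=FR/O=CNRS/CN=carol user" mapped to local user lcg001
"""
JOBMANAGER_LOG = """\
2003-07-01 09:12:05 jobmanager: user=lcg001 submitted job=pbs.1234 to batch
2003-07-01 09:40:20 jobmanager: user=lcg002 submitted job=pbs.1235 to batch
2003-07-01 11:02:30 jobmanager: user=lcg001 submitted job=pbs.1240 to batch
"""
GRIDFTP_LOG = """\
2003-07-01 09:15:44 gridftp: user=lcg001 STOR /data/lcg/out1.root bytes=1048576
2003-07-01 09:16:10 gridftp: user=lcg001 RETR /data/lcg/in1.root bytes=524288
2003-07-01 09:41:02 gridftp: user=lcg002 STOR /data/lcg/out2.root bytes=2048
2003-07-01 10:05:00 gridftp: user=lcg003 RETR /data/lcg/in9.root bytes=4096
"""

# Assumed (simplified) line formats; adapt to the site's real logs.
GK_RE = re.compile(r'^(\S+ \S+) gatekeeper: authenticated DN="([^"]+)" mapped to local user (\S+)$')
JM_RE = re.compile(r'^(\S+ \S+) jobmanager: user=(\S+) submitted job=(\S+) to batch$')
FTP_RE = re.compile(r'^(\S+ \S+) gridftp: user=(\S+) (STOR|RETR) (\S+) bytes=(\d+)$')


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_mappings(gk_log):
    """(time, local_user, dn) tuples from the gatekeeper log, oldest first."""
    rows = []
    for line in gk_log.splitlines():
        m = GK_RE.match(line)
        if m:
            rows.append((_ts(m.group(1)), m.group(3), m.group(2)))
    return sorted(rows)


def dn_for(mappings, local_user, when):
    """Which DN held local_user at time `when`: the latest mapping at or before it.

    Pool accounts are reused, so the DN must be resolved per event; taking the
    first (or only) mapping for an account would misattribute later activity.
    Returns None when no mapping precedes the event (unattributable activity).
    """
    holder = None
    for t, user, dn in mappings:  # sorted, so the last match wins
        if user == local_user and t <= when:
            holder = dn
    return holder


def build_trail(gk_log, jm_log, ftp_log):
    """Map each DN to the local accounts, jobs and transfers attributable to it.

    Activity by an account with no prior gatekeeper mapping is filed under an
    'UNMAPPED:<account>' key so it surfaces as a finding instead of vanishing.
    """
    mappings = parse_mappings(gk_log)
    trail = defaultdict(lambda: {"local_users": set(), "jobs": [], "transfers": []})

    def owner(user, when):
        return dn_for(mappings, user, when) or "UNMAPPED:" + user

    for line in jm_log.splitlines():
        m = JM_RE.match(line)
        if m:
            when, user, job = _ts(m.group(1)), m.group(2), m.group(3)
            entry = trail[owner(user, when)]
            entry["local_users"].add(user)
            entry["jobs"].append(job)
    for line in ftp_log.splitlines():
        m = FTP_RE.match(line)
        if m:
            when, user = _ts(m.group(1)), m.group(2)
            entry = trail[owner(user, when)]
            entry["local_users"].add(user)
            entry["transfers"].append((m.group(3), m.group(4), int(m.group(5))))
    return dict(trail)


def retention_shortfall(oldest_retained, now, required_days=90):
    """Days by which the retained log window falls short of the 90-day rule (0 if compliant).

    Both dates may be datetimes or 'YYYY-MM-DD' strings.
    """
    def as_dt(d):
        return d if isinstance(d, datetime) else datetime.strptime(d, "%Y-%m-%d")
    return max(0, required_days - (as_dt(now) - as_dt(oldest_retained)).days)


if __name__ == "__main__":
    for dn, entry in build_trail(GATEKEEPER_LOG, JOBMANAGER_LOG, GRIDFTP_LOG).items():
        print(dn, sorted(entry["local_users"]), entry["jobs"], entry["transfers"])
    print("retention shortfall (days):", retention_shortfall("2003-04-15", "2003-07-08"))
```

Resolving the DN per event rather than once per account is the point of keeping the gatekeeper log alongside the jobmanager and transfer logs: with pool accounts, the account name alone identifies nobody. The `UNMAPPED:` bucket is the other thing an auditor wants to see, since a transfer by an account that never appears in the gatekeeper log means either a missing log or access that bypassed the gatekeeper.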
Incident Response (#38)
• Procedures for LCG-1 start (before GOC)
  – Incidents, communications, enforcement, escalation etc.
• Party discovering incident responsible for
  – Taking local action
  – Informing all other security contacts
• Difficult to be precise at this stage – we have to learn!
• We have created an ops security list (before GOC)
  – Default site entry is the Contact person but an operational list would be better
• LCG-1 sites need to refine and improve
• All sites must buy in to the procedures
User Registration & VO Management (#39)
• User registers once with LCG-1
  – Accepts User Rules
  – Gives the agreed set of personal data (last GDB)
  – Requests to join one VO/Experiment
• We need robust VO Registration Authorities to check
  – The user actually made the request
  – User is a valid member of the experiment
  – User is at the listed institution
  – That all user data looks reasonable
    • E.g. mail address
• The web form will warn that these checks will be made
• User data is distributed to all LCG-1 sites
User Registration aims
• To provide LCG-1 with accurate information about users for
  – Pre-registration of accounts (where needed)
  – Auditing (legal requirements)
• To ensure VO managers do appropriate checks
  – To allow LCG-1 sites to open resources to VO
• BUT… the current procedures have limited resources
  – To some extent has to be “best efforts”
    • E.g. do we need backup VO managers?
VO Registration (2)
• Today’s VO managers
  – ALICE: Daniele Mura, INFN
  – ATLAS: Alessandro De Salvo, INFN
  – CMS: Andrea Sciaba, INFN
  – LHCb: Joel Closier, CERN
  – DTEAM: Ian Neilson, CERN
• Plan to continue to use the existing VO servers and services (run by NIKHEF) and the current VO managers (all agree to continue)
  – DTEAM run at CERN
VO/Experiment RA
• For LCG-1 start
• VO manager checks request via one of
  – Direct personal knowledge or contact (not e-mail)
  – Check in official CERN or experiment database
  – With official experiment contact person at employing institute
• Signed e-mail? (not done today)
• Identity and employing institute are the critical ones
• VO managers/LCG registrar to maintain a list of institutes and contact persons
• Work needed on more robust procedures for 2004
  – That can scale
  – With distributed RAs?